Bug 1304504 - (CVE-2016-2533) CVE-2016-2533 python-pillow: Buffer overflow in PCD decoding
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140324,repor...
Keywords: Security
Duplicates: 1305004
Depends On:
Blocks: 1298877 1305006
Reported: 2016-02-03 15:38 EST by Stefan Cornelius
Modified: 2016-11-08 10:49 EST

Doc Type: Bug Fix
Description Stefan Cornelius 2016-02-03 15:38:36 EST
A heap-based buffer overflow flaw was reported in Pillow's PCD decoding. By tricking an unsuspecting user or automated script into processing a specially crafted PCD image file, an attacker could cause the Python process to crash, or, potentially, execute arbitrary code with the privileges of the Python script processing the image.

The problem is that the "ImagingPcdDecode()" function in PcdDecode.c increases the unpack buffer pointer by 4 bytes (= 32-bit color), although the buffer is only supposed to hold 24 bits of color (= 3 bytes). This ultimately leads to an array indexing error resulting in an out-of-bounds write.

oss-security post:
http://www.openwall.com/lists/oss-security/2016/02/02/5

Upstream bug report:
https://github.com/python-pillow/Pillow/issues/568

Patch:
https://github.com/wiredfool/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4
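The pointer-stride mismatch described in the report, as an added illustration that is not Pillow's PcdDecode.c: a constructed row unpacker models an RGB output buffer sized at 3 bytes per pixel, shows why advancing the output pointer by 4 bytes per pixel runs past the end of that buffer, and adds the bounds check (with an overflow-safe size computation) a decoder needs before writing. The function names and the copy-instead-of-convert body are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_PIXEL 3   /* an RGB output row holds 3 bytes per pixel */

/* One-past-the-end offset of the last pixel write when the writer advances
 * `stride` bytes per pixel. Guards the multiplication so a huge width cannot
 * wrap the result into a small, apparently safe number. */
size_t last_write_end(size_t width, size_t stride) {
    if (width == 0) return 0;
    if (stride != 0 && width - 1 > (SIZE_MAX - BYTES_PER_PIXEL) / stride)
        return SIZE_MAX;   /* would overflow: report as "does not fit" */
    return (width - 1) * stride + BYTES_PER_PIXEL;
}

/* True when a row of `width` pixels written with `stride` fits in out_len bytes. */
bool row_fits(size_t width, size_t stride, size_t out_len) {
    return last_write_end(width, stride) <= out_len;
}

/* Constructed stand-in for the YCC->RGB step (a plain copy here, not the real
 * conversion). Returns the highest offset written + 1, or -1 when the row would
 * run past out_len, which is the check the decoder has to make before writing. */
int unpack_row(const uint8_t *ycc, size_t width, size_t stride,
               uint8_t *out, size_t out_len) {
    if (!row_fits(width, stride, out_len)) return -1;
    for (size_t x = 0; x < width; x++) {
        uint8_t *p = out + x * stride;   /* stride 4 lands pixel x at 4x, not 3x */
        p[0] = ycc[3 * x]; p[1] = ycc[3 * x + 1]; p[2] = ycc[3 * x + 2];
    }
    return (int)last_write_end(width, stride);
}

/* Constructed 4-pixel row into a 12-byte RGB buffer (width * 3, as sized for
 * 24-bit colour). Returns unpack_row's result for the given stride. */
int demo_stride(size_t stride) {
    const uint8_t ycc[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };  /* constructed samples */
    uint8_t out[12] = { 0 };
    return unpack_row(ycc, 4, stride, out, sizeof out);
}

int main(void) {
    printf("stride 3: %d\n", demo_stride(3));   /* 12: exactly fills the buffer */
    printf("stride 4: %d\n", demo_stride(4));   /* -1: last pixel would end at byte 15 */
    return 0;
}
```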
Comment 3 Stefan Cornelius 2016-02-08 04:09:20 EST
*** Bug 1305004 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Cornelius 2016-02-22 07:29:10 EST
This still needs a CVE. A request has been sent to oss-sec before, but I don't think one was ever assigned. I've asked for an update:
http://www.openwall.com/lists/oss-security/2016/02/22/1
Comment 5 Andrej Nemec 2016-02-22 10:41:14 EST
CVE assignment:

http://www.openwall.com/lists/oss-security/2016/02/22/2
